PCI DSS compliant proxy service

ABSTRACT

The innovation includes systems and methods of facilitating electronic commerce (e-commerce) via a proxy service. Such a method can include the acts of receiving a hypertext transfer protocol with secure socket layer (HTTPS) request from a client application and translating the HTTPS request to a format appropriate for an e-commerce web application. Additionally, such a method can include the steps of sending the translated request to the e-commerce web application via HTTPS and receiving a response based at least in part on the translated HTTPS request. The method can also include the acts of translating the HTTPS response to a format appropriate for the client application and sending the translated response to the client application via HTTPS. Secure information can be encrypted and stored at the client application separately from the encryption key, which can be stored by the proxy service.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Patentapplication Ser. No. 61/451,915 entitled ‘PCI DSS COMPLIANT PROXYSERVICE’ and filed Mar. 11, 2011. The entirety of the above-notedapplication is incorporated by reference herein.

TECHNICAL FIELD

The subject innovation relates to securely transporting information toand from an electronic commerce system.

BACKGROUND

As product purchases and monetary exchanges continue to emerge via theInternet, regulations have been enacted to control how thesetransactions are consummated. Generally, Internet transactions arereferred to as electronic commerce or “e-commerce” transactions, whichrefers to the act of buying and selling products and services viaelectronic systems, such as the Internet.

There has been explosive growth in the use of the Internet as a mediumfor facilitating online ordering and purchasing. However, in mostmerchant cases, the effort to build a single e-Commerce Web Applicationto service multiple consumer driven applications can be overwhelming. Inmost situations, a merchant has to build multiple e-Commerce WebApplications either acting as individual fulfillment systems orindependently connecting to a single fulfillment system.

With continued popularity and ease of these e-commerce transactions, theamount of trade conducted electronically has grown extraordinarily asInternet usage becomes commonplace in today's society. A largepercentage of electronic commerce is conducted entirely electronically,e.g., for items such as bill payment, money transfers, servicepurchases, etc. However, many e-commerce transactions involvetransportation of physical items following an on-line purchase.

Along with the emergence of e-commerce is a need for regulation togovern these types of transactions. The Payment Card Industry DataSecurity Standard (PCI DSS) is a worldwide information security standarddefined by the Payment Card Industry Security Standards Council. Thestandard increases controls related to e-commerce data in an attempt toprevent credit card fraud and other malicious attacks. The standardapplies to all organizations that hold, process, or exchange cardholderinformation from any card branded with the logo of one of the cardbrands.

SUMMARY

The following presents a simplified summary of the innovation in orderto provide a basic understanding of some aspects of the innovation. Thissummary is not an extensive overview of the innovation. It is notintended to identify key/critical elements of the innovation or todelineate the scope of the innovation. Its sole purpose is to presentsome concepts of the innovation in a simplified form as a prelude to themore detailed description that is presented later.

The subject innovation, in one aspect thereof can comprise a method offacilitating electronic commerce (e-commerce). Such a method can includethe acts of receiving a hypertext transfer protocol with secure socketlayer (HTTPS) request from a client application and translating theHTTPS request to a format appropriate for an e-commerce web application.Additionally, such a method can include the steps of sending thetranslated request to the e-commerce web application via HTTPS andreceiving a response based at least in part on the translated HTTPSrequest. The method can also include the acts of translating the HTTPSresponse to a format appropriate for the client application and sendingthe translated response to the client application via HTTPS.

In other aspects, the subject innovation can comprise an e-commercemanagement system. Such a system can include a proxy service componentthat can provide for secure communication between a client applicationand an e-commerce web application. The proxy service component caninclude a client interface component that can receive a request from theclient application and an e-commerce interface component that cantranslate the request to a format appropriate for the e-commerce webapplication, send the translated request to the e-commerce webapplication, and receive a response from the e-commerce web application.The client interface component can also translate the response to aformat appropriate for the client application and send the translatedresponse to the client application. The system can also include a proxyservice data store that can store non-sensitive information associatedwith one or more of the request or the response.

To the accomplishment of the foregoing and related ends, certainillustrative aspects of the innovation are described herein inconnection with the following description and the annexed drawings.These aspects are indicative, however, of but a few of the various waysin which the principles of the innovation can be employed and thesubject innovation is intended to include all such aspects and theirequivalents. Other advantages and novel features of the innovation willbecome apparent from the following detailed description of theinnovation when considered in conjunction with the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example architecture of an e-Commerce ManagementSystem in accordance with aspects of the innovation.

FIG. 2 illustrates an example workflow of an e-commerce transaction inaccordance with aspects of the innovation.

FIG. 3 shows an example API workflow of a series of transactions used ina Proxy Service API implementation.

FIG. 4 illustrates two types of data storage that can be used by a ProxyService in accordance with aspects of the innovation.

FIG. 5 illustrates an example embodiment of a data workflow that can beperformed by a Client Application as it interacts with a Proxy Service.

FIG. 6 illustrates an example data workflow of a proxy service uponreceiving a request from a client application.

FIG. 7 illustrates a block diagram of a computer operable to execute thedisclosed architecture.

FIG. 8 illustrates a schematic block diagram of an exemplary computingenvironment in accordance with the subject innovation.

DETAILED DESCRIPTION

The innovation is now described with reference to the drawings, whereinlike reference numerals are used to refer to like elements throughout.In the following description, for purposes of explanation, numerousspecific details are set forth in order to provide a thoroughunderstanding of the subject innovation. It may be evident, however,that the innovation can be practiced without these specific details. Inother instances, well-known structures and devices are shown in blockdiagram form in order to facilitate describing the innovation.

As used in this application, the terms “component” and “system” areintended to refer to a computer-related entity, either hardware, acombination of hardware and software, software, or software inexecution. For example, a component can be, but is not limited to being,a process running on a processor, a processor, an object, an executable,a thread of execution, a program, and/or a computer. By way ofillustration, both an application running on a server and the server canbe a component. One or more components can reside within a processand/or thread of execution, and a component can be localized on onecomputer and/or distributed between two or more computers.

As used herein, the term to “infer” or “inference” refer generally tothe process of reasoning about or inferring states of the system,environment, and/or user from a set of observations as captured viaevents and/or data. Inference can be employed to identify a specificcontext or action, or can generate a probability distribution overstates, for example. The inference can be probabilistic—that is, thecomputation of a probability distribution over states of interest basedon a consideration of data and events. Inference can also refer totechniques employed for composing higher-level events from a set ofevents and/or data. Such inference results in the construction of newevents or actions from a set of observed events and/or stored eventdata, whether or not the events are correlated in close temporalproximity, and whether the events and data come from one or severalevent and data sources.

Generally, the subject innovation relates to securely transportinginformation to and from an electronic commerce system. The subjectinnovation can provide an e-Commerce solution that efficiently and costeffectively facilitates product querying and online ordering from anexisting e-Commerce Web Application in other consumer drivenapplications without jeopardizing PCI DSS rules and regulations.

In aspects, systems and methods of the subject innovation can provide aProxy Service that can adhere to Payment Card Industry Data SecurityStandard (PCI DSS) rules and regulations and can communicate with aSecure Socket Layer (SSL) encrypted electronic commerce (e-Commerce) WebApplication on behalf of a Client Application. As used herein, SSL isintended to also encompass related protocols, such as Transport LayerSecurity. The Proxy Service can organize data received from thee-Commerce Web Application into a serialized data object. Any organizeddata that is disallowed for transport in this context, according to PCIDSS rules and regulations, can be encrypted with a cipher (e.g.,256-bit, etc.) before responding to the Client Application. The ClientApplication, which does not have the salt key, can relay the encrypteddata back to the Proxy Service but cannot decrypt or make use of theencrypted data itself. The Proxy Service, which does have the originalsalt key, can decrypt and once again make use of the encrypted data.

In accordance with the innovation, FIG. 1 illustrates an examplearchitecture of an e-Commerce Management System 100 in accordance withaspects of the innovation. Generally, the system 100 can include a ProxyService Component 102 and a Proxy Service data store 104 that can enablean e-commerce transaction between a Client Application 106 and ane-Commerce Web Application 108 by facilitating secure e-commerce datatransfer, e.g., via the Internet. In aspects, Proxy Service Component102 can provide a PCI DSS compliant Proxy Service that can be used tofacilitate the secure transport of product and transaction data from anexisting e-Commerce Web Application 108 (e.g., an existing web-basedmerchant interface, etc.) to and/or from a Client Application 106, whichis the environment that will interface with a customer (which can be anyof a variety of Client Applications, such as different browsers, mobileapplications, etc.).

Proxy Service Component 102 can manage two sessions for everytransaction. Proxy component 102 can communicate with Client Application106 via a client interface component 110 that can manage the sessionwith Client Application 106 (e.g., receiving requests from the clientapplication, translating responses to a format appropriate for theclient application, sending the translated response to the clientapplication, etc.). In the session with Client Application 106, someinformation can be stored by the Proxy Service Component 102 at theProxy Service data store 104 (e.g., non-sensitive information), someinformation can be sent to the Client Application 106 (e.g.,non-sensitive information, and some sensitive information after beingencrypted, etc.) to be stored at a client data store 114, and someinformation can be stored at both, as described further herein.Additionally, proxy component 102 can communicate with e-Commerce WebApplication 108 via an e-commerce interface component 112 that canmanage the session with e-Commerce Web Application 108 (e.g.,translating requests to a format appropriate for the e-Commerce WebApplication, sending requests to the e-Commerce Web Application,receiving responses from the e-Commerce Web Application, etc.). Inaspects, the session with e-Commerce Web Application 108 can beimplemented by proxy component 102 (e.g., by way of e-commerce interfacecomponent 112) via an Application Programming Interface (API) tailoredspecifically to the e-Commerce Web Application 108. In variousembodiments, Proxy Service 102 can enables a Programmer to create an APIto communicate with the e-Commerce Web Application 108. In some aspects,all web-based communications interacting with the Proxy ServiceComponent 102 can take place via Programmer implemented APIs. AProgrammer can utilize the Proxy Service Component 102 to interpret ane-Commerce Web Application 108 and can translate it into a set of APIfunctions specific to the e-Commerce Web Application 108. These APIfunctions can allow multiple Client Applications 106 to interface withthe e-Commerce Web Application 108 across SSL, via Proxy ServiceComponent 102.

According to one aspect of the invention, every transaction that takesplace via the Proxy Service Component 102 can strictly adhere to theguidelines set forth by the PCI Security Standards Council fore-commerce transactions, the Payment Card Industry Data SecurityStandard (PCI DSS). In such aspects, all web-based communicationsinteracting with the Proxy Service 102 can take place over SSL. Allsessions with e-Commerce Web Application 108 can be isolated andabstracted from the Client Application 106 to prevent (or alleviate)man-in-the-middle attacks. The Proxy Service Component 102 need not savedata related to credit card holder information on any data storagedevice including, but not limited to, local hard drives, network mountedhard drives, database applications, or removable media, any or all ofwhich are intended to be encompassed within Proxy Service data store104. In the event that data must be maintained between proxied actions,it can be encrypted by Proxy Service Component 102 and sent to theClient Application 106 to be stored in client data store 114 for lateruse as substantially any local data storage mechanism accessible to theClient Application (e.g. cookie, local shared object, javascript object,etc). The Client Application 106 can return the encrypted data back tothe Proxy Service 102 on a subsequent request, where it can then bedecrypted and re-used. In various aspects, Client Application 106 is notprovided the salt key to decrypt the encrypted data stored in clientdata store 114.

FIG. 2 illustrates an example workflow or method 200 of an e-commercetransaction in accordance with aspects of the innovation. While, forpurposes of simplicity of explanation, the one or more methodologiesshown herein, e.g., in the form of a flow chart or workflow diagram, areshown and described as a series of acts, it is to be understood andappreciated that the subject innovation is not limited by the order ofacts, as some acts may, in accordance with the innovation, occur in adifferent order and/or concurrently with other acts from that shown anddescribed herein. For example, those skilled in the art will understandand appreciate that a methodology could alternatively be represented asa series of interrelated states or events, such as in a state diagram.Moreover, not all illustrated acts may be required to implement amethodology in accordance with the innovation.

Workflow 200 can begin at 202, wherein the Client Application 106 cansubmit an HTTPS request (e.g., GET or POST form data, PUT, DELETE, etc.)at 202. This can be transmitted at 204 as an HTTPS (hypertext transferprotocol with SSL) request to Proxy Service Component 102. Afterreceiving the request, at 206 Proxy Service Component 102 can translatethe request to a format appropriate for e-Commerce Web Application 108,which will depend on aspects of e-Commerce Web Application 108, and canbe based on an API developed to work specifically with e-Commerce WebApplication 108, as explained herein. At 208, the translated request canbe sent via SSL by Proxy Service Component 102 to e-Commerce WebApplication 108. E-Commerce Web Application 108 can process the requestat 210, and respond with the resulting data at 212, which will depend onthe nature of the request and the specifics e-Commerce Web Application108 (e.g., whether a product is being selected, payment information isbeing provided, etc.). At 214, the response can be sent via SSL frome-Commerce Web Application 108 to Proxy Service Component 102. At 216,the received response can be translated to a format appropriate forClient Application 106. The translated response can be sent via SSL at218 from Proxy Service Component 102 to Client Application 106. At 220,Client Application 106 can receive the response, which can be presentedto a client interacting with Client Application 106.

From the standpoint of Proxy Service Component 102, the flow of FIG. 2can be substantially as follows. An HTTPS request can be received at204, translated to a format appropriate for e-Commerce Web Application108 at 206, and the translated request can be sent via SSL at 208. Theworkflow can continue for the Proxy Service Component 102 at 214, wherean HTTPS response is received. The response can be translated at 216 toa format appropriate for Client Application 106, and the translatedresponse can be sent via SSL at 218. In aspects, communications withClient Application 106 can take place via client interface component110, while communications between Proxy Service Component 102 ande-Commerce Web Application 108 can take place via e-commerce interfacecomponent 112.

Referring to the workflow or method of FIG. 3, according to variousaspects of the innovation, the Proxy Service Component 102 can beutilized by a programmer to create an Application Programming Interface(API) tailored to a specific e-Commerce Web Application 108. Inembodiments, all web-based communications interacting with the ProxyService Component 102 can take place via Programmer-implemented APIs. Insuch embodiments, a Programmer can utilize the Proxy Service Component102 to interpret an e-Commerce Web Application 108 and can translate itinto a set of API functions specific to the e-Commerce Web Application108. These API functions can allow multiple Client Applications tointerface with the same e-Commerce Web Application 108 across SSL.

With continued reference to FIG. 3, an example API workflow or method300 of a series of transactions used in a Proxy Service APIimplementation is shown. It is to be understood that the specific actsshown are merely examples, and that in connection with variouse-Commerce Web Applications 108, additional or alternative acts may takeplace that can also be implemented via an API created via Proxy ServiceComponent 102. Also, it is to be understood that Client Application 102is responsible for making requests to the Proxy Service 102 in ameaningful sequence, and this sequence of actions (e.g., actions302-312) can differ from one implementation to the next. Actions 302-312are only one such sequence of actions.

The example workflow 300 can include the following acts. At 302, ClientApplication 106 can retrieve product information from the e-CommerceWebsite Application 108 via the Proxy Service 102. This retrieval ofproduct information can be via an HTTP and/or HTTPS GET request, and canproceed according to a workflow such as workflow 200 described inconnection with FIG. 2, encompassing steps 202-220. The retrieval ofproduct information via HTTP GET in this instance (as opposed to HTTPS)can remain compliant with PCI DSS in instances when a stateless (e.g.anonymous) request can be made to the e-Commerce Website Application108. Next, at 304, the Client Application 106 can add a product to ashopping cart on the e-Commerce Website Application 108 via the ProxyService 102 using proxy data. As with action 302, action 304 (as well asactions 306-312) can proceed according to workflow 200 of FIG. 2;however, for ease of illustration, specific steps of workflow 200 areonly indicated in connection with action 302. At 306, Client Application106 can submit shipping information to the e-Commerce WebsiteApplication 108 via the Proxy Service 102 using proxy data, and at 308,the Client Application 106 can submit billing information to thee-Commerce Website Application 108 via the Proxy Service 102 using proxydata. Next, at 310, Client Application 106 can submit a request toreview order information from the e-Commerce Website Application 108 viathe Proxy Service 102 using proxy data. Finally, at 312, ClientApplication 106 can submit the current order to the e-Commerce WebsiteApplication 108 via the Proxy Service 102 using proxy data. Again, as isto be understood, the specific sequence of actions will depend uponrequests made via the Client Application 106, and may also depend on thespecific nature of e-Commerce Web Application 108 (which could providefor or necessitate additional or alternative actions, etc.).

FIG. 4 illustrates two types of data storage 400 that can be used byProxy Service 102, client application storage 402 (e.g., clientapplication data store 114, etc.) and proxy service storage 404 (e.g.,proxy service data store 104, etc.). Client application storage caninclude both unencrypted data 406 and encrypted data 408. In variousaspects, the only piece of data that is consistently shared between thetwo data stores is the Proxy Service generated session ID 410, that canbe used for Proxy Service Component 102 to communicate with ClientApplication 106, for example, via client interface component 110. Anydata that is required across programmed workflow actions, but that isdeemed too sensitive for typical hard drive storage, according to PCIDSS, can be encrypted with a 256-bit cipher using a private salt key,and sent to the Client Application 106 as an encrypted serialized datahash to be relayed between transactions. Because the Proxy Service 102is the owner of the original salt key (which is not provided to clientapplication 106), the Proxy Service 102 can decrypt and re-use datastored within the encrypted serialized data hash. Any data that isrequired across programmed workflow actions that is not deemed assensitive information, according to PCI DSS, can be sent to the ClientApplication 106 as plain text to be relayed between transactions, andmay optionally be stored in a local database accessible to the ProxyService 102. Examples of such non-sensitive data may include, but is notlimited to, Proxy Session ID 410, e-Commerce Web Application Session ID,Product Title, Product Description, Product Price, and e-Commerce WebApplication Order ID.

In accordance with aspects of the innovation, FIG. 5 illustrates anembodiment of a data workflow or method 500 that can be performed byClient Application 106 as it interacts with Proxy Service 102. Workflow500 can begin at 502, and proceed to step 504, wherein user input datacan be collected (e.g., selecting a product, submitting billing orshipping information, etc.). Next, at step 506, Client Application 106can determine if any previously collected encrypted session data wasstored or not. If it was, the workflow can proceed to 508, where theClient Application 106 can retrieve the stored session object, forexample, by reading the encrypted session object at 510 from clientstorage 512 (e.g., client data store 114, etc.). Then, at 514, theencrypted data can be combined with the collected user input. At 516,the Client Application can build a request object (e.g., GET, POST,etc.) for the intended Proxy Service 102 functionality, based on theuser input (either with or without encrypted session data, depending onthe determination at 506). The Client Application 106 can call the ProxyService 102 at 518, and send the request (e.g., via HTTPS, etc.) to itat 520. At 522, the Proxy Service 102 can take any appropriate actionsbased on the request sent at 520, and can send a response (e.g., viaHTTPS, etc.) at 524 back to the Client Application 106. At 526, theClient Application can organize the response data (e.g., generate outputto a user, etc.), and at 528 can determine if the response data includedencrypted data. If not, workflow 500 can end at 502 (where it can beginagain if appropriate, based on user input). If the response 524 includesencrypted data (e.g., a positive determination is made at 528), then at530, the encrypted data can be stored, by writing the encrypted sessionobject at 510 to the client storage 512.

Turning to FIG. 6, illustrated is an example data workflow or method 600of a proxy service 102 upon receiving a request (e.g., via HTTPS, etc.)from a client application 106. In aspects, workflow 600 can beimplemented at step 522 of workflow 500, although it need not be. Theworkflow 600 can begin at 602 and proceed to 604, wherein the proxyservice 102 can organize the submitted request data (e.g., of request520, if workflow 600 is implemented in conjunction with workflow 500).Next, at 606, proxy service 102 can determine if any encrypted sessiondata was submitted or not as part of the request. If so, the workflow600 can proceed to step 608, where the salt key can be rebuilt and theencrypted session data can be decrypted. At 610, the decrypted data canbe combined with the unencrypted data. Next, at 612, the proxy service102 can organize the request data (e.g., either just unencrypted data,or unencrypted data combined with decrypted data if a positivedetermination was made at 606) into proper API request parameters. At614, the proxy service 102 can execute the appropriate proxy API callbased at least in part on the API request parameters organized at 612.Proxy API 616 (which can, in aspects, be implemented as a sub-componentof proxy component 102, such as in connection with e-commerce interfacecomponent 112) can, at 618, transform the API request parameters into aformat that is compatible with e-Commerce Web Application 108. At 620,the proxy component 102 (e.g., via Proxy API 616, etc.) can submit thetransformed request parameters to the e-Commerce Web Application 108 asrequest 622. At 624, e-commerce web application 108 can perform anyappropriate actions based on request 622 (e.g., process the request andrespond with any resulting data, etc.), and at 626, send a response toproxy component 102. After receiving the response at 626, the Proxy API616 at 628 can transform the response data into a format that iscompatible with the Proxy Service 102. At 630, the proxy service 102 canorganize the response data into an appropriate format for transmissionto client application 106. This can involve a determination made at 632whether any sensitive data (e.g., data indicated as sensitive accordingto PCI DSS, etc.) was returned to proxy service 102 as part of thetransformed response data. If sensitive data was returned, then at 634,the proxy service can rebuild the salt key and encrypt the sensitivedata. If not, or once the sensitive data has been encrypted, then aresponse can be generated for the client application 106 (e.g.,organizing the data in an appropriate format for the client application106, etc.) and the workflow can end at 602, with proxy service 102returning appropriate response data to the client application 106.

Referring now to FIG. 7, there is illustrated a block diagram of acomputer operable to execute the disclosed architecture. In order toprovide additional context for various aspects of the subjectinnovation, FIG. 7 and the following discussion are intended to providea brief, general description of a suitable computing environment 700 inwhich the various aspects of the innovation can be implemented. Whilethe innovation has been described above in the general context ofcomputer-executable instructions that may run on one or more computers,those skilled in the art will recognize that the innovation also can beimplemented in combination with other program modules and/or as acombination of hardware and software.

Generally, program modules include routines, programs, components, datastructures, etc., that perform particular tasks or implement particularabstract data types. Moreover, those skilled in the art will appreciatethat the inventive methods can be practiced with other computer systemconfigurations, including single-processor or multiprocessor computersystems, minicomputers, mainframe computers, as well as personalcomputers, hand-held computing devices, microprocessor-based orprogrammable consumer electronics, and the like, each of which can beoperatively coupled to one or more associated devices.

The illustrated aspects of the innovation may also be practiced indistributed computing environments where certain tasks are performed byremote processing devices that are linked through a communicationsnetwork. In a distributed computing environment, program modules can belocated in both local and remote memory storage devices.

A computer typically includes a variety of computer-readable media.Computer-readable media can be any available media that can be accessedby the computer and includes both volatile and nonvolatile media,removable and non-removable media. By way of example, and notlimitation, computer-readable media can comprise computer storage mediaand communication media. Computer storage media includes both volatileand nonvolatile, removable and non-removable media implemented in anymethod or technology for storage of information such ascomputer-readable instructions, data structures, program modules orother data. Computer storage media includes, but is not limited to, RAM,ROM, EEPROM, flash memory or other memory technology, CD-ROM, digitalversatile disk (DVD) or other optical disk storage, magnetic cassettes,magnetic tape, magnetic disk storage or other magnetic storage devices,or any other medium which can be used to store the desired informationand which can be accessed by the computer.

Communication media typically embodies computer-readable instructions,data structures, program modules or other data in a modulated datasignal such as a carrier wave or other transport mechanism, and includesany information delivery media. The term “modulated data signal” means asignal that has one or more of its characteristics set or changed insuch a manner as to encode information in the signal. By way of example,and not limitation, communication media includes wired media such as awired network or direct-wired connection, and wireless media such asacoustic, RF, infrared and other wireless media. Combinations of the anyof the above should also be included within the scope ofcomputer-readable media.

With reference again to FIG. 7, the exemplary environment 700 forimplementing various aspects of the innovation includes a computer 702,the computer 702 including a processing unit 704, a system memory 706and a system bus 708. The system bus 708 couples system componentsincluding, but not limited to, the system memory 706 to the processingunit 704. The processing unit 704 can be any of various commerciallyavailable processors. Dual microprocessors and other multi-processorarchitectures may also be employed as the processing unit 704.

The system bus 708 can be any of several types of bus structure that mayfurther interconnect to a memory bus (with or without a memorycontroller), a peripheral bus, and a local bus using any of a variety ofcommercially available bus architectures. The system memory 706 includesread-only memory (ROM) 710 and random access memory (RAM) 712. A basicinput/output system (BIOS) is stored in a non-volatile memory 710 suchas ROM, EPROM, EEPROM, which BIOS contains the basic routines that helpto transfer information between elements within the computer 702, suchas during start-up. The RAM 712 can also include a high-speed RAM suchas static RAM for caching data.

The computer 702 further includes an internal hard disk drive (HDD) 714(e.g., EIDE, SATA), which internal hard disk drive 714 may also beconfigured for external use in a suitable chassis (not shown), amagnetic floppy disk drive (FDD) 716, (e.g., to read from or write to aremovable diskette 718) and an optical disk drive 720, (e.g., reading aCD-ROM disk 722 or, to read from or write to other high capacity opticalmedia such as the DVD). The hard disk drive 714, magnetic disk drive 716and optical disk drive 720 can be connected to the system bus 708 by ahard disk drive interface 724, a magnetic disk drive interface 726 andan optical drive interface 728, respectively. The interface 724 forexternal drive implementations includes at least one or both ofUniversal Serial Bus (USB) and IEEE 1394 interface technologies. Otherexternal drive connection technologies are within contemplation of thesubject innovation.

The drives and their associated computer-readable media providenonvolatile storage of data, data structures, computer-executableinstructions, and so forth. For the computer 702, the drives and mediaaccommodate the storage of any data in a suitable digital format.Although the description of computer-readable media above refers to aHDD, a removable magnetic diskette, and a removable optical media suchas a CD or DVD, it should be appreciated by those skilled in the artthat other types of media which are readable by a computer, such as zipdrives, magnetic cassettes, flash memory cards, cartridges, and thelike, may also be used in the exemplary operating environment, andfurther, that any such media may contain computer-executableinstructions for performing the methods of the innovation.

A number of program modules can be stored in the drives and RAM 712,including an operating system 730, one or more application programs 732,other program modules 734 and program data 736. All or portions of theoperating system, applications, modules, and/or data can also be cachedin the RAM 712. It is appreciated that the innovation can be implementedwith various commercially available operating systems or combinations ofoperating systems.

A user can enter commands and information into the computer 702 throughone or more wired/wireless input devices, e.g., a keyboard 738 and apointing device, such as a mouse 740. Other input devices (not shown)may include a microphone, an IR remote control, a joystick, a game pad,a stylus pen, touch screen, or the like. These and other input devicesare often connected to the processing unit 704 through an input deviceinterface 742 that is coupled to the system bus 708, but can beconnected by other interfaces, such as a parallel port, an IEEE 1394serial port, a game port, a USB port, an IR interface, etc.

A monitor 744 or other type of display device is also connected to thesystem bus 708 via an interface, such as a video adapter 746. Inaddition to the monitor 744, a computer typically includes otherperipheral output devices (not shown), such as speakers, printers, etc.

The computer 702 may operate in a networked environment using logicalconnections via wired and/or wireless communications to one or moreremote computers, such as a remote computer(s) 748. The remotecomputer(s) 748 can be a workstation, a server computer, a router, apersonal computer, portable computer, microprocessor-based entertainmentappliance, a peer device or other common network node, and typicallyincludes many or all of the elements described relative to the computer702, although, for purposes of brevity, only a memory/storage device 750is illustrated. The logical connections depicted include wired/wirelessconnectivity to a local area network (LAN) 752 and/or larger networks,e.g., a wide area network (WAN) 754. Such LAN and WAN networkingenvironments are commonplace in offices and companies, and facilitateenterprise-wide computer networks, such as intranets, all of which mayconnect to a global communications network, e.g., the Internet.

When used in a LAN networking environment, the computer 702 is connectedto the local network 752 through a wired and/or wireless communicationnetwork interface or adapter 756. The adapter 756 may facilitate wiredor wireless communication to the LAN 752, which may also include awireless access point disposed thereon for communicating with thewireless adapter 756.

When used in a WAN networking environment, the computer 702 can includea modem 758, or is connected to a communications server on the WAN 754,or has other means for establishing communications over the WAN 754,such as by way of the Internet. The modem 758, which can be internal orexternal and a wired or wireless device, is connected to the system bus708 via the serial port interface 742. In a networked environment,program modules depicted relative to the computer 702, or portionsthereof, can be stored in the remote memory/storage device 750. It willbe appreciated that the network connections shown are exemplary andother means of establishing a communications link between the computerscan be used.

The computer 702 is operable to communicate with any wireless devices orentities operatively disposed in wireless communication, e.g., aprinter, scanner, desktop and/or portable computer, portable dataassistant, communications satellite, any piece of equipment or locationassociated with a wirelessly detectable tag (e.g., a kiosk, news stand,restroom), and telephone. This includes at least Wi-Fi and Bluetooth™wireless technologies. Thus, the communication can be a predefinedstructure as with a conventional network or simply an ad hoccommunication between at least two devices.

Wi-Fi allows connection to the Internet from a couch at home, a bed in ahotel room, or a conference room at work, without wires. Wi-Fi is awireless technology similar to that used in a cell phone that enablessuch devices, e.g., computers, to send and receive data indoors and out;anywhere within the range of a base station. Wi-Fi networks use radiotechnologies called IEEE 802.11 (a, b, g, etc.) to provide secure,reliable, fast wireless connectivity. A Wi-Fi network can be used toconnect computers to each other, to the Internet, and to wired networks(which use IEEE 802.3 or Ethernet). Wi-Fi networks operate in theunlicensed 2.4 and 5 GHz radio bands, at an 11 Mbps (802.11a) or 54 Mbps(802.11b) data rate, for example, or with products that contain bothbands (dual band), so the networks can provide real-world performancesimilar to the basic 10BaseT wired Ethernet networks used in manyoffices.

Referring now to FIG. 8, there is illustrated a schematic block diagramof an exemplary computing environment 800 in accordance with the subjectinnovation. The system 800 includes one or more client(s) 802. Theclient(s) 802 can be hardware and/or software (e.g., threads, processes,computing devices). The client(s) 802 can house cookie(s) and/orassociated contextual information by employing the innovation, forexample.

The system 800 also includes one or more server(s) 804. The server(s)804 can also be hardware and/or software (e.g., threads, processes,computing devices). The servers 804 can house threads to performtransformations by employing the innovation, for example. One possiblecommunication between a client 802 and a server 804 can be in the formof a data packet adapted to be transmitted between two or more computerprocesses. The data packet may include a cookie and/or associatedcontextual information, for example. The system 800 includes acommunication framework 806 (e.g., a global communication network suchas the Internet) that can be employed to facilitate communicationsbetween the client(s) 802 and the server(s) 804.

Communications can be facilitated via a wired (including optical fiber)and/or wireless technology. The client(s) 802 are operatively connectedto one or more client data store(s) 808 that can be employed to storeinformation local to the client(s) 802 (e.g., cookie(s) and/orassociated contextual information). Similarly, the server(s) 804 areoperatively connected to one or more server data store(s) 810 that canbe employed to store information local to the servers 804.

What has been described above includes examples of the innovation. Itis, of course, not possible to describe every conceivable combination ofcomponents or methodologies for purposes of describing the subjectinnovation, but one of ordinary skill in the art may recognize that manyfurther combinations and permutations of the innovation are possible.Accordingly, the innovation is intended to embrace all such alterations,modifications and variations that fall within the spirit and scope ofthe appended claims. Furthermore, to the extent that the term “includes”is used in either the detailed description or the claims, such term isintended to be inclusive in a manner similar to the term “comprising” as“comprising” is interpreted when employed as a transitional word in aclaim.

What is claimed is:
 1. A method of facilitating electronic commerce(e-commerce), comprising: receiving at a proxy service a hypertexttransfer protocol with secure socket layer (HTTPS) request from a clientapplication; translating the HTTPS request to a format appropriate foran e-commerce web application; sending the translated request to thee-commerce web application via HTTPS; receiving a response at the proxyservice based at least in part on the translated HTTPS request, whereinthe response includes sensitive data; encrypting the sensitive data witha salt key, wherein the salt key is utilized to decrypt the sensitivedata at a different time; translating the response to a formatappropriate for the client application; and sending the translatedresponse including the encrypted sensitive data from the proxy serviceto the client application via HTTPS without storing the sensitive dataat the proxy service; and storing the salt key at the proxy servicewithout sending the salt key to the client application, wherein theclient application neither encrypts nor decrypts the sensitive data. 2.The method of claim 1, wherein the request comprises an encryptedsession object.
 3. The method of claim 2, further comprising: rebuildingthe salt key associated with the encrypted session object; anddecrypting the encrypted session object based at least in part on therebuilt salt key.
 4. The method of claim 1, further comprising:organizing the HTTPS request into proper application programminginterface (API) request parameters; and executing an API call based atleast in part on the API request parameters.
 5. The method of claim 1,further comprising organizing the response data.
 6. The method of claim5, wherein organizing the response data comprises: receiving theresponse data at the client application; determining that the responseincludes encrypted data; and storing the encrypted data in a local datastorage mechanism.
 7. The method of claim 1, wherein encrypting thesensitive data with the salt key is based at least in part on using a256-bit cypher.
 8. The method of claim 1, wherein the HTTPS request isone of a GET request or a POST request.
 9. The method of claim 1,further comprising complying with Payment Card Industry Data SecurityStandards (PCI DSS).
 10. The method of claim 1, wherein accessing theclient application request further comprises: receiving an encryptedsession object from the client application; determining that previouslycollected encryption session data was stored; retrieving the previouslycollected encrypted session data; and combining the previously encryptedsession data with user input data, wherein the request object comprisesthe previously collected encrypted session data.
 11. The method of claim1, wherein encrypting the sensitive data comprises encrypting dataindicated as sensitive according to Payment Card Industry Data SecurityStandards (PCI DSS).
 12. An e-commerce management system, comprising: aproxy service component implemented via one or more processors thatprovides for secure communication between a client application and ane-commerce web application, comprising: a client interface componentthat receives a request comprising an encrypted session object from theclient application, wherein the encrypted session object was previouslyencrypted based at least in part on a salt key, wherein the proxyservice component rebuilds the salt key associated with the encryptedsession object and decrypts the encrypted session object based at leastin part on the rebuilt salt key; an e-commerce interface component thattranslates the request to a format appropriate for the e-commerce webapplication, sends the translated request to the ecommerce webapplication, and receives a response from the e-commerce webapplication, wherein the client interface component translates theresponse to a format appropriate for the client application and sendsthe translated response to the client application without transmittingthe salt key or the rebuilt salt key; and a proxy service data storethat stores non-sensitive information associated with one or more of therequest or the response.
 13. The system of claim 12, wherein theresponse and the request are sent and received via HTTPS.
 14. The systemof claim 13, wherein the HTTPS request is one of a GET request, a POSTrequest, a PUT request, or a DELETE request.
 15. The system of claim 12,wherein the response comprises sensitive data, and wherein the proxyservice component rebuilds a salt key associated with the sensitive dataand encrypts the sensitive data with the salt key.
 16. The system ofclaim 12, wherein the e-commerce management system complies with PaymentCard Industry Data Security Standards (PCI DSS).
 17. The system of claim12, wherein the request received from the client application comprises arequest object comprising user input data and an encrypted sessionobject.
 18. The system of claim 12, wherein the response translated forthe client application comprises a response object comprising anencrypted session object and client application requested user responsedata.
 19. The system of claim 12, wherein the encrypted session objectis stored at the client application and the encrypted session object isnot stored at the proxy service data store.
 20. The system of claim 12,wherein the client application does not include the salt key and theclient application cannot decrypt the encrypted session object.